New mass-mailing worm to be activated on February 1

Symantec, the IT security vendor has issued a high alert and upgraded the W32.Novarg.A@mm (also known as W32.Mydoom@mm) from a Level 3 to a Level 4 threat. The new mass-mailing worm is expected to be activated on February 1st, 2004 — two days from now.

The upgrade is based on how fast the threat is spreading. Additionally, the Symantec DeepSight Threat Analyst Team has raised the global ThreatCon from Level 1 to Level 2 because of the number of sample submissions Symantec has received and because of the malicious nature of the backdoor that the Trojan installed. Symantec Security Response is receiving submissions of W32.Novarg.A@mm at approximately the same rate at which it initially received submissions of Sobig.F@mm (discovered August 13, 2003). The centre received over 960 submissions of W32.Novarg.A@mm, including several from the Middle East, in a nine-hour timeframe.

Symantec is advising users and administrators to update their anti-virus definitions through LiveUpdate. Additionally, the Worm Blocking technology in the latest Symantec consumer products automatically detects this threat as it attempts to spread. “Mass-mailing worms often originate from people the user knows. We strongly urge our customers not to open or execute unexpected message attachments,” says Kevin Isaac, regional director, Symantec Middle East.

W32.Novarg.A@mm is an encrypted mass-mailing worm that arrives as an attachment under a variety of subject lines such as “hello,” “Mail Transaction Failed,” or “Test.” The attachment has one of the following extensions: .exe, .scr, .zip, .pif, .bat, or .cmd. Once opened, the worm copies itself to the system folder as taskmon.exe and listens on all TCP ports in the range 3127 to 3198, allowing hackers to send additional files to be executed by the infected system. The worm propagates by sending itself to addresses found in files with extensions such as .htm, .sht, .php, .asp, .dbx, .tbb, .adb, .pl, .wab, and .txt; it ignores addresses that end in .edu.

The worm will also attempt a denial-of-service attack against www.sco.com between Feb. 1 and Feb. 12, 2004, creating 64 threads that send HTTP ‘GET’ requests to the SCO site. The Santa Cruz Operation (SCO) is a Unix vendor. Additional information on W32.Novarg@mm, including removal instructions, can be found on Symantec’s website.
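As an added illustration (not code from the article or from Symantec), the following Python checks a host for the two indicators the article names, a listener in TCP 3127-3198 and a taskmon.exe copy in the system folder, over netstat-style output; the sample netstat lines and file paths are constructed, and the regex assumes the Windows "netstat -an" column layout.

```python
import re
from pathlib import PureWindowsPath

# Host-side indicators named in the article: the worm copies itself to the
# system folder as taskmon.exe, and its backdoor listens on TCP 3127-3198.
BACKDOOR_PORTS = range(3127, 3199)   # range() end is exclusive, so 3198 is included
WORM_FILENAME = "taskmon.exe"

# One line of Windows "netstat -an" output in LISTENING state; group 1 is the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_backdoor_ports(netstat_lines):
    """Return the sorted local TCP ports in 3127-3198 that are in LISTENING state."""
    hits = set()
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            hits.add(int(m.group(1)))
    return sorted(hits)

def worm_copies(file_paths):
    """Return paths named taskmon.exe that sit directly in a Windows system folder."""
    found = []
    for p in file_paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == WORM_FILENAME and wp.parent.name.lower() in ("system", "system32"):
            found.append(p)
    return found

def assess_host(netstat_lines, file_paths):
    """Combine both checks; 'infected_likely' is True only when both indicators are present."""
    ports = listening_backdoor_ports(netstat_lines)
    copies = worm_copies(file_paths)
    return {"backdoor_ports": ports, "worm_copies": copies,
            "infected_likely": bool(ports) and bool(copies)}

# Constructed sample input (not real captured data).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:1045       10.0.0.9:80            ESTABLISHED",
    "  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\taskmon.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Temp\taskmon.exe",
]
```

A single listener in the range is a weaker signal than both indicators together, which is why `assess_host` only reports `infected_likely` when the port and the file copy are both present.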